The intrusion of a group of Chinese hackers into Microsoft’s servers, which allowed access to the emails of several senior American officials, is due to a “cascade of avoidable errors” on the part of the IT giant, according to a scathing report from the US government.
The Cyber Safety Review Board (CSRB), led by the US Department of Homeland Security, conducted a seven-month investigation into the incident involving China-affiliated cyberespionage actor Storm-0558.
The operation, which was first discovered by the US State Department in June 2023, included the hacking of official and personal emails of Commerce Secretary Gina Raimondo and the US Ambassador to China, Nicholas Burns.
Microsoft provides cloud-hosted IT services (remote computing), such as Azure or Office360, including the storage of sensitive data for many businesses and governments.
The report, released Monday, criticizes Microsoft’s corporate culture for being “at odds with the company’s central place in the technology ecosystem and the level of trust customers place in the company.”
“The cloud is one of the most critical infrastructures we have,” said CSRB Chairman Robert Silvers.
“It is imperative that cloud service providers prioritize security and build it in by design,” he added.
The study highlighted a series of operational and strategic decisions made by Microsoft that paved the way for the hack, including failing to identify a new employee’s compromised laptop following a business acquisition in 2021.
It also found that Microsoft failed to match the security standards in place at competing cloud companies, including Google, Amazon and Oracle.
“The Commission considers that this intrusion could have been avoided and should never have occurred,” asserts the report, which highlights “the cascade of avoidable errors by Microsoft which allowed this intrusion to succeed”.
The report also recommends that Microsoft develop and make public a time-bound plan to implement wide-ranging security reforms.
CSRB Vice Chairman Dmitri Alperovitch called Storm-0558 and other similar actors a “persistent and pernicious threat” that has “the ability and intent to compromise identity systems to access sensitive data, including emails from people of interest to the Chinese government.”
The government thanked Microsoft, which did not immediately respond to a request for comment, for fully cooperating with its review.